Nitrokey HSM2 on win10 issues

I have some doubts about the Nitrokey HSM2 setup procedure.
I got 2 units and I’m following the start guide at Nitrokey Documentation.
I installed OpenSC (OpenSC-0.24.0_win64.msi and also the 32-bit version),
but sc-hsm-tool.exe raises this error:

C:\Users\Admin>"C:\Program Files\OpenSC Project\OpenSC\tools\sc-hsm-tool.exe"
Using reader with a card: Nitrokey Nitrokey HSM 0
Connecting to card in reader Nitrokey Nitrokey HSM 0…
Failed to connect to card: Unresponsive card (correctly inserted?)
Failed to connect to card: Success

does not matter what usb port i use or command line parameters, and i have the same error on both usb keys…

certutil also says the same thing:
C:\Users\Admin> certutil.exe -scinfo
Gestione risorse smart card in esecuzione.
Stato corrente lettore/scheda:
Lettori: 1
0: Nitrokey Nitrokey HSM 0
— Lettore: Nitrokey Nitrokey HSM 0
— Stato: SCARD_STATE_PRESENT | SCARD_STATE_MUTE
— Stato: La scheda non è riconosciuta o non risponde.
— Scheda:

=======================================================
Analisi della scheda nel lettore: Nitrokey Nitrokey HSM 0

--------------===========================--------------

Eseguito.
CertUtil: - Esecuzione comando SCInfo riuscita.

or
C:\Users\Admin>"C:\Program Files\OpenSC Project\OpenSC\tools\pkcs11-tool.exe" --login --test
error: PKCS11 function C_GetSlotInfo failed: rv = CKR_DEVICE_ERROR (0x30)
Aborting.

I’m definitely missing something??
Thank you in advance

Exactly the same error on a win11 PC.
I think the problem comes from the card ATR, which is not read properly, as reported here:

C:\Users\Admin>"C:\Program Files\OpenSC Project\OpenSC\tools\opensc-tool.exe" -a -v
Using reader with a card: Nitrokey Nitrokey HSM 0
Card ATR:

C:\Users\Admin>
I made a test under centos7 and the device is working properly:
sc-hsm-tool reports an uninitialized key, please initialize it.

but windows … no way.
i see win11 install “Microsoft Usbccid Smartcard Reader (WUDF)” driver and is working ok, so maybe is a timeout problem? anything that can be configured?
Br
artur

hey @Arturo_TheMonster ,

this looks like “something” is messing with the communication. In detail, for me it looks like this on Windows 10:

C:\Program Files\OpenSC Project\OpenSC\tools>sc-hsm-tool
Using reader with a card: Nitrokey Nitrokey HSM 0
Version              : 3.4
Config options       :
  User PIN reset with SO-PIN enabled
SO-PIN tries left    : 15
User PIN tries left  : 3

C:\Program Files\OpenSC Project\OpenSC\tools>sc-hsm-tool --initialize --so-pin 3537363231383830 --pin 648219
Using reader with a card: Nitrokey Nitrokey HSM 0

C:\Program Files\OpenSC Project\OpenSC\tools> opensc-tool.exe -a -v
Using reader with a card: Nitrokey Nitrokey HSM 0
Card ATR:
3B DE 18 FF 81 91 FE 1F C3 80 31 81 54 48 53 4D ;.........1.THSM
31 73 80 21 40 81 07 1C                         1s.!@...

which seems quite OK. Nevertheless, sometimes OpenSC does not work perfectly under Windows. I would also suggest not installing any additional card drivers; at least with OpenSC it should work out-of-the-box, as seen in the listing above…

Any chances some security mechanism is blocking the traffic, firewall or something similar?
Did you try another OpenSC version, like 0.23 as 0.24 is very new and there might be new issues we aren’t aware of?

best

Tested a win10 x64, an old win7 32 bit, a win11 x64 and a Windows Server 2019 x64; all have the same problem on 2 different HSM keys, with different setup, different hardware and different software running,
and my first run was just to install the latest OpenSC from GitHub and run sc-hsm-tool on all systems.

A firewall on a USB port doesn’t look realistic to me…
and on centos7 (VirtualBox installation), on the same Windows PC where it doesn’t work, it works OK…

P.S. On the forum another user has the same problem on a Mac and a brand new HSM key…

so i think there is something wrong with the new keys/firmware, or the opensc(all versions) with windows(all versions)… win7 installation is 4 years old.

also i cannot connect to the Login Required for firmware update since key is unresponsive…

Just crosschecked, there has been an update on the smartcard to 4.0 - this might be the reason for this issue - we are looking into it right now - I’ll update you through the support-ticket how to proceed.
Please give us some days to look into this…

Perfect, thank you very much.

br

Artur

It looks like this is an OpenSC issue/PR, see this issue here on github

especially the linked post has binaries which should resolve the issue, could you try these and report if this changes something for you?

I am confused and not convinced this is the actual issue, as you reported that it also didn’t work with OpenSC 0.23, am I correct?

tested right now binaries with win7 x86 and the issue is the same, and i confirm, problem exists in 0.23 and 0.22 and 0.21
regards
Artur

ok that’s pretty weird and likely means you are observing something different.
From our side we can reproduce “the” (or better “some”) issue with OpenSC 0.24 and Windows 10 - using the binaries I posted the problem vanished, additionally 0.23 also solves the issue.

We are currently extending the testing also to various other customers, let’s wait for their feedback and see where we go from there, sorry for the inconvenience

tested also win11 x64 and issue is the same…so x64 and x32 binaries in the post have the same problem

I recently bought a Nitrokey-HSM2 and a SmartCard-HSM 4K and initialized both the same way. They look similar, but as the SmartCard is working under Windows 10, I may provide some logs if necessary.

$ /opt/local/bin/pkcs11-tool --list-slots
Available slots:
Slot 0 (0x0): Nitrokey Nitrokey HSM (DENK03013530000         ) 00 00
  token label        : Certificats (UserPIN)
  token manufacturer : www.CardContact.de
  token model        : PKCS#15 emulated
  token flags        : login required, rng, token initialized, PIN initialized
  hardware version   : 24.13
  firmware version   : 4.0
  serial num         : DENK0301353
  pin min/max        : 6/15
Slot 1 (0x4): Identiv uTrust 3512 SAM slot Token [CCID Interface] (55512030...
  token label        : Certificats (UserPIN)
  token manufacturer : www.CardContact.de
  token model        : PKCS#15 emulated
  token flags        : login required, rng, token initialized, PIN initialized
  hardware version   : 24.13
  firmware version   : 4.0
  serial num         : DECC1202872
  pin min/max        : 6/15
$ /opt/local/bin/opensc-tool -r 0 -a
3b:de:98:ff:81:91:fe:1f:c3:80:31:81:54:48:53:4d:31:73:80:21:40:81:07:92
$ /opt/local/bin/opensc-tool -r 1 -a
3b:de:96:ff:81:91:fe:1f:c3:80:31:81:54:48:53:4d:31:73:80:21:40:81:07:92
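
Added example, not part of any post in this thread: a minimal ISO/IEC 7816-3 ATR decoder run over the three ATR strings quoted above. It lists the interface bytes and recomputes the TCK check byte (the XOR of T0 through TCK must be 0); the function names and dictionary labels are made up for this example.

```python
from functools import reduce

# ATR strings copied from the tool output quoted in this thread.
ATRS = {
    "support listing (Version 3.4)":
        "3B DE 18 FF 81 91 FE 1F C3 80 31 81 54 48 53 4D 31 73 80 21 40 81 07 1C",
    "reader 0 (Nitrokey HSM)":
        "3b:de:98:ff:81:91:fe:1f:c3:80:31:81:54:48:53:4d:31:73:80:21:40:81:07:92",
    "reader 1 (Identiv uTrust)":
        "3b:de:96:ff:81:91:fe:1f:c3:80:31:81:54:48:53:4d:31:73:80:21:40:81:07:92",
}

def parse_atr(text):
    """Decode an ISO/IEC 7816-3 ATR given as hex (space or ':' separated)."""
    raw = bytes.fromhex(text.replace(":", ""))
    if len(raw) < 2 or raw[0] not in (0x3B, 0x3F):
        raise ValueError("empty ATR or invalid TS byte")
    hist_len, y, pos = raw[1] & 0x0F, raw[1] >> 4, 2
    iface, protocols, i = {}, set(), 1
    while True:
        for bit, name in enumerate("ABCD"):   # Y bits announce TAi..TDi
            if y & (1 << bit):
                if pos >= len(raw):
                    raise ValueError("ATR truncated in interface bytes")
                iface[f"T{name}{i}"] = raw[pos]
                pos += 1
        td = iface.get(f"TD{i}")
        if td is None:                        # no TDi: interface bytes end here
            break
        protocols.add(td & 0x0F)              # low nibble of TDi is protocol T
        y, i = td >> 4, i + 1
    has_tck = bool(protocols - {0})           # TCK is absent when only T=0 is offered
    if len(raw) < pos + hist_len + has_tck:
        raise ValueError("ATR truncated")
    hist = raw[pos:pos + hist_len]
    pos += hist_len
    expected = reduce(lambda a, b: a ^ b, raw[1:pos], 0)
    tck = raw[pos] if has_tck else None
    return {"iface": iface, "protocols": sorted(protocols), "historical": hist,
            "tck": tck, "tck_expected": expected if has_tck else None,
            "tck_ok": (not has_tck) or tck == expected}

def check_all(atrs=ATRS):
    """Map each label to whether its TCK check byte is consistent."""
    return {label: parse_atr(text)["tck_ok"] for label, text in atrs.items()}

if __name__ == "__main__":
    for label, text in ATRS.items():
        r = parse_atr(text)
        print(f"{label}: TA1={r['iface']['TA1']:02X} T={r['protocols']} "
              f"TCK={r['tck']:02X} expected={r['tck_expected']:02X} ok={r['tck_ok']}")
```

For the strings as quoted here, the reader 0 ATR is the only one whose TCK (92) differs from the recomputed value (9C); the thread does not say whether this is related to the Windows/macOS incompatibility. An empty ATR, as in the opensc-tool output of the second post, is rejected with a ValueError.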

Hey hey together,

I have some (hopefully) complete update on the entire issue:

There are essentially two issues happening here in parallel:

  1. Any Nitrokey HSM2 shipped from beginning of January 2024 until January ~20th has an incompatibility with Windows and MacOSX, we have a new firmware in place to fix that, but the device needs to be sent in - if you have such a device and need Windows/MacOSX compatibility, please write us (support (at) nitrokey (dot) com) with your order number (SOxxxxxxx) and we’ll replace your device.

  2. The OpenSC release 0.24 comes with a fresh new bug which also breaks Windows compatibility with many HSM devices (including the Nitrokey HSM2). So please use either 0.23 OR use the binaries you can find in the related issue.

thanks for your patience,
best